Abstract

Several studies have considered control theory tools for traffic control in communication networks, for example the congestion control issue in IP (Internet Protocol) routers. In this paper, we propose to design a linear observer for time-delay systems to address the traffic monitoring issue in TCP/AQM (Transmission Control Protocol / Active Queue Management) networks. Because of the several propagation delays and the queueing delay, the TCP/AQM system is modeled as a multiple-delay system of a particular form. Hence, appropriate robust control tools such as quadratic separation are adopted to construct a delay-dependent observer for TCP flow estimation. The developed mechanism also addresses the anomaly detection issue for a class of DoS (Denial of Service) attacks. Finally, simulations with the network simulator NS-2 and an emulation experiment validate the proposed methodology.

1 Motivations and Contributions 

Internet is becoming the major communication network. It allows an increasing number of activities, ranging from web browsing and file exchanges to on-line games or IP telephony. Because of its increasing popularity, traffic monitoring tools have to be embedded into the network to supervise communications, to ensure QoS (Quality of Service) or even to avoid security breaches. Two techniques can be used:

Active monitoring [21] consists of generating probes into the network, and then observing the impact of network components and protocols on traffic: loss rate, delays, RTT (Round Trip Time), capacity... However, since additional traffic (probes) is injected into the network, the major drawback is the disturbance induced by such traffic (it inevitably affects the current traffic). Intrusiveness of the probe traffic is thus one of the key features that active monitoring tools have to care about.

Secondly, passive monitoring [S] refers to network measurements with appropriate devices located at some relevant points in the network. Passive monitoring is performed on captured traffic and estimates network features off-line. It provides a non-intrusive method, but one that is not reactive enough.

Regarding security problems, network anomalies typically refer to circumstances in which network operations deviate from the expected behavior. Network anomalies can be roughly classified into two categories. The first category is related to network failures and performance problems (like file server failures, broadcast storms, etc.). The second major category of network anomalies is security-related problems (like DoS or DDoS detection), i.e. detecting active security threats. A variety of tools for anomaly detection are mainly based on data packet signatures (i.e. specific formats of packets, packet headers) and on the use of statistical profiles of the traffic. The natural variability of the traffic [19] produces important fluctuations of these measurements, thus inducing several false positives (false alarms) and false negatives (missed detections). Some studies have taken into account a richer form of the statistical structure of the traffic (correlation, spectral density, ...) to design an IDS or ADS (Intrusion or Anomaly Detection System) [9], [14].

In this paper, we propose to address the traffic monitoring issue in networks with the design of an observer. First, a dynamical model which describes the TCP flow rate behavior as well as a class of anomalies is introduced. Then, robust control tools, especially quadratic separation, are used to derive a convergence condition for the time-delay observer. Basically, the observer, embedded at a router, uses the queue length measurement of the buffer to reconstruct the whole state composed of flow rates. However, since the observer is based on the linearized model of TCP, traffic has to be regulated around an equilibrium point to ensure the validity of the observer model, and a congestion control mechanism (AQM, Active Queue Management) is thus required. Next, the model is extended in order to detect a class of anomalies from the second category (attacks). Note that the proposed methodology allows on-line and non-intrusive monitoring (as reactive as active monitoring, but without injecting probes into the network). Even if our study focuses on specific and static networks, as explained in the next section, it shows encouraging results.

The paper is organized as follows. The problem statement introducing the model of a network supporting TCP and the AQM congestion control is presented in the second section. Then, the third part is dedicated to the design of an observer for the estimation of data flow rates as well as anomaly detection. The fourth section shows an illustrative example of the proposed theory using NS-2 simulations and emulations. Finally, the fifth section concludes the paper and proposes future works.



2 NETWORK DYNAMICS 

2.1 Fluid-flow model of TCP 

This section is devoted to the introduction of the network model that describes the traffic behavior. In this paper, we consider networks consisting of a single router and N heterogeneous TCP sources. By heterogeneous, we mean that each source is linked to the router with different propagation times (see Figure 1).

Since the bottleneck is shared by N flows, TCP applies the congestion avoidance algorithm to avoid network saturation [?]. Following the AIMD (Additive-Increase Multiplicative-Decrease) mechanism, the congestion window of TCP sources varies according to the network load state (packet losses and delays). Hence, various deterministic fluid-flow models have been developed (see [TS], [U] and [53] and references therein) to describe the behavior of the transmission protocol. While many studies dealing with network control in the automatic control theory framework consider the model proposed by [17], we use a more accurate one, introduced in [15] and described by (1), which takes into account the forward and backward delays. The model and notations are as follows:

    \dot W_i(t) = \frac{1}{\tau_i(t)} - \frac{W_i(t)\, W_i(t - \tau_i(t))}{2\, \tau_i(t - \tau_i(t))}\, p_i(t - \tau_i^b)
    \dot b(t)   = -c + \sum_{i=1}^{N} \eta_i\, \frac{W_i(t - \tau_i^f)}{\tau_i(t - \tau_i^f)}                 (1)
    \tau_i(t)   = \frac{b(t)}{c} + T_{p_i}

Figure 2: A single connection

where W_i(t) is the congestion window size of source i, b(t) is the queue length of the buffer at the router and \tau_i(t) is the RTT perceived by source i. This latter quantity can be decomposed as the sum of the forward and backward delays (\tau_i^f and \tau_i^b), standing for, respectively, the trip time from source i to the router (the one way) and from the router back to the source via the receiver (the return), see Figure 2. c, T_{p_i} and N are parameters related to the network configuration and represent, respectively, the link capacity, the propagation time of the path taken by connection i and the number of TCP sources. \eta_i is the number of sessions established by source i. The signal p_i(t) corresponds to the dropping probability of a packet at the router buffer. Note that the network variables mentioned above in model (1) are considered as mean values [15] (for instance, W_i(t) actually represents the average congestion window size).

In this paper, the objective is to develop a method which computes, at the router and during congestion, an estimate of the different flow rates passing through it. The congestion window W_i does not provide a relevant index of the traffic intensity since it only refers to the amount of data sent by the source at a given instant. Consequently, additional frequent measurements of the corresponding RTT would be required. Hence, we propose to reformulate model (1) such that the state vector is expressed in terms of aggregate flows instead of congestion windows. To this end, the rate of each flow x_i, expressed as x_i(t) = W_i(t)/\tau_i(t), will be considered. The dynamic of this new quantity becomes of the form

    \dot x_i(t) = \frac{\dot W_i(t)\, \tau_i(t) - W_i(t)\, \dot\tau_i(t)}{\tau_i(t)^2}.

Based on the expressions of \dot W_i(t), \dot b(t) (see equation (1)) and \dot\tau_i(t) = \dot b(t)/c, a new model of the TCP behavior is derived:

    \dot x_i(t) = \frac{1}{\tau_i(t)^2} - \frac{x_i(t)\, \dot b(t)}{c\, \tau_i(t)} - \frac{x_i(t)\, x_i(t - \tau_i(t))}{2}\, p_i(t - \tau_i^b)
    \dot b(t)   = -c + \sum_{i=1}^{N} \eta_i\, x_i(t - \tau_i^f)                                            (2)
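
As an added worked example (not code from the paper), the following Python script encodes model (1), the rate reformulation x_i = W_i/\tau_i of model (2), and an equilibrium computation. The equilibrium derivation is ours, obtained from \dot x_i = 0 and \dot b = 0 under a common drop probability p_0 (the paper's equation (3) is not legible on this copy); the proportional law aqm_drop_probability is an assumed stand-in for the gain-K AQM used in Section 4; and the propagation delays and session counts are constructed values.

```python
import math

# All parameter values in this file are constructed for illustration; the
# paper's NS-2 example only fixes c = 2500 packet/s, eta_i = 20 and b0 = 100.

def rtt(b, c, Tp):
    """RTT of source i, tau_i(t) = b(t)/c + T_{p_i}: queueing delay plus propagation time."""
    return b / c + Tp

def window_dot(W, W_d, tau, tau_d, p_d):
    """dW_i/dt from model (1): additive increase 1/tau_i(t) and a multiplicative
    decrease driven by the drop probability delayed by the backward delay,
    p_i(t - tau_i^b).  W_d and tau_d are W_i and tau_i evaluated at t - tau_i(t)."""
    return 1.0 / tau - W * W_d / (2.0 * tau_d) * p_d

def queue_dot(c, eta, W_f, tau_f, d=0.0):
    """db/dt from model (1): arrivals of the N sources, each delayed by its forward
    delay tau_i^f, minus the link capacity c.  d is the extra non-TCP traffic of
    the augmented model of Section 3.2 (0 when there is no anomaly)."""
    return -c + d + sum(n * w / t for n, w, t in zip(eta, W_f, tau_f))

def rate_dot(x, x_d, tau, b_dot, c, p_d):
    """dx_i/dt of model (2), written with the rates x_i = W_i / tau_i."""
    return 1.0 / tau ** 2 - x * b_dot / (c * tau) - 0.5 * x * x_d * p_d

def rate_dot_by_quotient_rule(W, W_d, tau, tau_d, p_d, b_dot, c):
    """The same derivative obtained directly as d/dt (W_i / tau_i), with
    dtau_i/dt = (db/dt) / c from the RTT definition; used to check rate_dot."""
    W_dot = window_dot(W, W_d, tau, tau_d, p_d)
    tau_dot = b_dot / c
    return (W_dot * tau - W * tau_dot) / tau ** 2

def equilibrium(c, eta, Tp, b0):
    """Equilibrium of model (2) with d = 0 and a common drop probability p0
    (our derivation; the paper's equation (3) is unreadable on this copy):
    b = b0 gives tau_i0 = b0/c + T_{p_i}; dx_i/dt = 0 gives x_i0 = sqrt(2/p0)/tau_i0;
    db/dt = 0 then fixes p0 so that sum_i eta_i x_i0 = c."""
    tau0 = [rtt(b0, c, T) for T in Tp]
    s = sum(n / t for n, t in zip(eta, tau0))      # sum_i eta_i / tau_i0
    p0 = 2.0 * (s / c) ** 2
    x0 = [math.sqrt(2.0 / p0) / t for t in tau0]
    return tau0, p0, x0

def aqm_drop_probability(b, b0, p0, K):
    """Assumed proportional AQM law around the equilibrium (a stand-in for the
    gain-K AQM of the paper): p = p0 + K (b - b0), clipped to [0, 1]."""
    return min(1.0, max(0.0, p0 + K * (b - b0)))

if __name__ == "__main__":
    c, eta, Tp, b0 = 2500.0, [20, 20, 20], [0.04, 0.08, 0.12], 100.0
    tau0, p0, x0 = equilibrium(c, eta, Tp, b0)
    print("tau0 =", tau0, " p0 = %.4f" % p0, " x0 =", [round(x, 2) for x in x0])
    W0 = [x * t for x, t in zip(x0, tau0)]            # windows at equilibrium
    print("db/dt at equilibrium:", queue_dot(c, eta, W0, tau0))
    print("dx_i/dt at equilibrium:", [rate_dot(x, x, t, 0.0, c, p0) for x, t in zip(x0, tau0)])
```

The comparison of rate_dot_by_quotient_rule with rate_dot is the numerical counterpart of the derivation in the text: the two agree at any operating point, not only at equilibrium, which is what justifies replacing the congestion windows by the rates in the state vector.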

2.2 AQM for congestion control 

To achieve high efficiency and high reliability of communications in computer networks, many investigations have been done regarding the congestion control issue. Since the congestion window size of the transmission protocol depends on packet losses (specified by p_i(t)), a proposal was to use this feature in order to control the source sending rates. Hence, a mechanism called AQM (Active Queue Management, see Figure 3) has been developed to provoke losses, thereby avoiding severe congestion, buffer overflow, timeouts, etc. This strategy allows the regulation of TCP flows with an implicit control (or an explicit one if the ECN, Explicit Congestion Notification, protocol is enabled). Various AQMs have been proposed in the literature, such as Random Early Detection (RED) [B], Random Early Marking (REM) [T], Adaptive Virtual Queue (AVQ) [23] and many others [?]. Their performances have been evaluated in [22] and empirical studies have shown their effectiveness. Recently, significant studies initiated by [?] have redesigned AQMs using control theory, and P and PI controllers have been developed in order to cope with the packet dropping problem. Then, using the dynamical model developed by [17], much research has addressed the congestion problem in a control theory framework (for examples see [T3], [12], [H] and references therein).

So, AQM supports TCP for congestion control and regulates the queue length of the buffer as well as the flow rates around an equilibrium point [T3], [H], [8]. An efficient control thus allows the TCP dynamics (2) to be approximated by a linear model (4) around an equilibrium point (3). Our work focuses on traffic monitoring at a router with a static topology (N and \eta_i are constant). Moreover, for mathematical tractability, we make the usual assumption [IS], [5], [T2] that all delays (\tau_i, \tau_i^f and \tau_i^b) are time invariant when they appear as arguments of variables (for example x_i(t - \tau_i(t)) = x_i(t - \tau_i)). This latter assumption is valid as long as the queue length remains close to its equilibrium value and when the queueing delay is smaller than the propagation delays. Defining an equilibrium point (3), model (2) can be linearized to obtain the linear model (4) around the equilibrium point (3); the matrices of equation (4) are defined by (5). (Equations (3) to (5) are not legible on this copy.) The model (4) is of a particular multiple-delay form since each component of the state vector is delayed by a different quantity related to the communication path.

Figure 3: Implementation of an AQM

Figure 4: An interconnected system



3 OBSERVER FOR TRAFFIC MONITORING 



3.1 Preliminaries 

First, and before designing the observer, it is necessary to introduce the following theorem [?] that provides a stability condition for interconnected systems as illustrated in Figure 4. This result is then used to cope with the delayed part of (4) and to provide conditions for the convergence of the observer state.

Theorem 1 Given two possibly non-square matrices \mathcal{E}, \mathcal{A} and an uncertain matrix \nabla belonging to a set \mathcal{S}. The uncertain system represented by Figure 4 is stable for all matrices \nabla \in \mathcal{S} if and only if there exists a matrix \Theta = \Theta^* satisfying conditions (6) and (7) (not legible on this copy).

The considered feedback system, having the same form as Figure 4, is a linear equation connected to a linear uncertainty \nabla. This result comes from robust control theory using quadratic separation tools [TU]. The second inequality, (7), is constructed from some knowledge about the uncertain matrix \nabla (for instance upper bounds, convex hull). Then, the first one, (6), is solved to assess the stability of the interconnection. Previous works have shown that such a framework provides convenient tools and a good insight into the stability issue of time-delay systems. In that case, the delay system is represented as in Figure 4, where \nabla consists of some appropriate operators related to the delay.

In the next part, Theorem 1 leads to the conception of an observer that tracks the state of the multiple time-delay system (4).

3.2 Design of the observer 

Consider a network as illustrated in Figure 1 consisting of N TCP pairs; the traffic dynamic regulated by an AQM can be modeled around the equilibrium point as (see (4))

    \dot x(t) = A\, x(t) + A_d\, x_d(t) + B\, u(t)
    y(t) = C\, x(t)

(the definition of the delayed state vector x_d(t) that follows in the original is not legible on this copy) and y(t) is the measured output, i.e. the queue length at the router. In order to take into account extra traffic or non-modeled traffic (for example, traffic coming from applications over the UDP protocol, see Figure 5), an additional signal d(t) should be added to the queue dynamic (second equation in (2)):

    \dot b(t) = -c + d(t) + \sum_{i=1}^{N} \eta_i\, x_i(t - \tau_i^f).

Figure 5: Introduction of an additional non-TCP traffic as anomaly



This signal represents flows that pass through the router and fill up the buffer b(t) in addition to the expected traffic (N TCP connections). Notice that this feature can be used to model anomalies or DoS attacks (Denial of Service, [2]). In this paper, we consider a class of anomalies that are CBR (Constant Bit Rate) based applications, which can be modeled as piecewise-constant functions. Such applications are met in streaming, video conferencing and telephony (voice services). Furthermore, the same modeling can also be used for some classes of attacks [16] such as traditional flooding-based DoS (for example Shrew) or PDoS (see [TB] and references therein). Consequently, assuming that d(t) is a piecewise-constant function, we propose to consider now the following augmented system, whose state gathers x(t) and d(t) and which embeds the anomaly feature:

    (state equation not legible on this copy)
    y(t) = C\, x(t)                                                                            (8)

Let us construct an observer for the augmented system (8) defined by:

    \dot{\hat x}(t) = A\, \hat x(t) + A_d\, \hat x_d(t) + B\, u(t) + L\, (y(t) - C\, \hat x(t))          (9)

where \hat x(t) is the observer state and L is the observer gain. This latter matrix has to be designed such that \hat x(t) converges to x(t). Notice that the pair (A + A_d, C) is observable, which implies that there exists an observer (possibly depending on the delay) allowing the reconstruction of the states of system (8).

Theorem 2 If there exist (N + 2) \times (N + 2) positive definite matrices P, Q_i and S_i for i \in \{1, \dots, N\} and a matrix X \in \mathbb{R}^{(N+2) \times 1} such that the following inequality holds

    (LMI (10), not legible on this copy)

then system (9) is an observer for system (8), i.e. \hat x(t) converges asymptotically to x(t). The observer gain L is given by L = P^{-1} X.

The matrices involved in (10) are defined by (11) to (15); on this copy only fragments of these definitions survive: the term PA - A^T P + XC + C^T X^T - Q_i, a sum starting at i = 1, and the block -I_{N+2}.

Proof 1 In order to prove the asymptotic convergence of \hat x(t) to x(t), let us define the error between the state of (8) and the one of the observer, e(t) = x(t) - \hat x(t). We aim to make sure that the error e(t) converges toward zero. Hence, the first problem can be recast as the stability issue of the system

    \dot e(t) = (A - LC)\, e(t) + A_d\, e_d(t),                                                (16)

where e_d(t) = x_d(t) - \hat x_d(t). System (16) is then rewritten as (17) (not legible on this copy). Next, transforming system (17) into an interconnected system of the form of Figure 4, Theorem 1 may be applied to derive the stability condition. System (17) is thus expressed as the interconnection of (18) and equation (19) (both not legible on this copy), where \nabla = \mathrm{diag}(\dots) gathers the delay operators.

First, it can be proved that the separator (20) satisfies inequality (7) according to the matrix \nabla defined in (18) (the proof is omitted because of space limitation; it is an extension of [?] to the case of multiple delays), with

    \Theta_{11} = \mathrm{diag}(0_{N+2}, -Q_1, \dots, -Q_N, -R_1 \tau_1^2, \dots, -R_N \tau_N^2)
    \Theta_{12} = \mathrm{diag}(0_{2N(N+2)})
    \Theta_{22} = \mathrm{diag}(0_{N+2}, Q_1, \dots, Q_N, R_1, \dots, R_N)

where P, Q_i and R_i, \forall i \in [1, N], are positive definite matrices. So, system (16) is stable if inequality (6), with \mathcal{E} and \mathcal{A} defined as in (19), is verified. Some algebraic calculations show that this latter is of the form (21) (not legible on this copy), where M_1 is defined in (15). \Sigma_2 and \Sigma_3 are then equivalently rewritten in the forms (not legible on this copy) given next, respectively. Defining S_i = P R_i^{-1} P and knowing that (P - S_i)^T S_i^{-1} (P - S_i) \geq 0, which yields P S_i^{-1} P \geq 2P - S_i, the inequality \Sigma_1 - \Sigma_2 + \Sigma_3 > 0, with \Sigma_3 so defined, implies (21). Applying a Schur complement to this latter inequality and defining X = PL, condition (10) is recovered.
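
As an added example (not the paper's code or data), the script below runs a delay observer of the form (9) against a constructed system of the form (8) with a single TCP source, where the anomaly level d is appended to the state with \dot d = 0. The matrices A, A_d, C, the delay TAU and the gain L are all constructed: L is hand-tuned so that A - LC is stable and its convergence is checked by simulation rather than obtained from the LMI of Theorem 2, and the known-input term Bu(t) is omitted because a proportional AQM law on the queue is folded into A. The rank test on (A + A_d, C) is the observability condition stated above, and detect_anomaly plays the role of the anomaly "sensor" of Section 4 with a constructed threshold.

```python
from collections import deque

# Constructed linear delay model of the form (8), N = 1 source, in deviation
# coordinates around the equilibrium.  State x = [rate deviation, queue
# deviation, anomaly level d].  The AQM (proportional in the queue deviation)
# is folded into A, so the known-input term B u(t) of (8)/(9) is zero here.
A = [[-1.0, -0.5, 0.0],   # rate: relaxes and is reduced when the queue grows (AQM drops)
     [0.0, 0.0, 1.0],     # queue: fed by the anomaly d (TCP arrivals enter via A_D)
     [0.0, 0.0, 0.0]]     # d' = 0: the anomaly is assumed piecewise constant
A_D = [[0.0, 0.0, 0.0],
       [1.0, 0.0, 0.0],   # arrivals reach the queue after the forward delay
       [0.0, 0.0, 0.0]]
C = [0.0, 1.0, 0.0]       # only the queue length is measured
TAU = 0.1                 # forward delay in seconds (constructed)
L = [0.0, 2.0, 1.0]       # observer gain, hand-tuned (not from the LMI of Theorem 2)

def dot(u, v): return sum(a * b for a, b in zip(u, v))
def add(u, v): return [a + b for a, b in zip(u, v)]
def matvec(M, v): return [dot(row, v) for row in M]

def rank(rows, eps=1e-9):
    """Rank of a small dense matrix by Gaussian elimination."""
    m, r = [row[:] for row in rows], 0
    for col in range(len(m[0])):
        piv = next((i for i in range(r, len(m)) if abs(m[i][col]) > eps), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        for i in range(len(m)):
            if i != r:
                f = m[i][col] / m[r][col]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        r += 1
    return r

def observability_matrix_rank(A, A_D, C):
    """Rank of the observability matrix of the pair (A + A_D, C)."""
    M = [[a + ad for a, ad in zip(ra, rad)] for ra, rad in zip(A, A_D)]
    n, rows, v = len(M), [], C[:]
    for _ in range(n):
        rows.append(v)
        v = [sum(v[i] * M[i][j] for i in range(n)) for j in range(n)]   # v <- v M
    return rank(rows)

def anomaly_profile(t):
    """Constructed CBR-like anomaly: extra traffic 0.3 during [10 s, 25 s)."""
    return 0.3 if 10.0 <= t < 25.0 else 0.0

def simulate(d_profile, t_end=40.0, dt=0.01):
    """Euler integration of the true system and of observer (9),
    x_hat' = A x_hat + A_D x_hat(t - TAU) + L (y - C x_hat).
    Returns a list of (t, x, x_hat) samples."""
    n, k = len(C), int(round(TAU / dt))
    assert k >= 1, "delay must span at least one step"
    x, xh = [0.0] * n, [0.0] * n
    buf_x = deque([x[:] for _ in range(k)], maxlen=k)     # buf[0] is the state at t - TAU
    buf_xh = deque([xh[:] for _ in range(k)], maxlen=k)
    samples = []
    for step in range(int(round(t_end / dt))):
        t = step * dt
        x[2] = d_profile(t)                                # true anomaly, unknown to the observer
        y, yh = dot(C, x), dot(C, xh)
        x_dot = add(matvec(A, x), matvec(A_D, buf_x[0]))
        xh_dot = add(add(matvec(A, xh), matvec(A_D, buf_xh[0])), [l * (y - yh) for l in L])
        buf_x.append(x[:]); buf_xh.append(xh[:])
        x = [xi + dt * di for xi, di in zip(x, x_dot)]
        xh = [xi + dt * di for xi, di in zip(xh, xh_dot)]
        samples.append((t + dt, x[:], xh[:]))
    return samples

def estimate_at(samples, t_query):
    """True state and observer state at the sample closest to t_query."""
    _, x, xh = min(samples, key=lambda s: abs(s[0] - t_query))
    return x, xh

def detect_anomaly(samples, threshold=0.1):
    """Anomaly 'sensor': times at which the estimated extra traffic |d_hat| exceeds
    the (constructed) threshold."""
    return [t for t, _, xh in samples if abs(xh[2]) > threshold]

if __name__ == "__main__":
    print("observability matrix rank:", observability_matrix_rank(A, A_D, C))
    samples = simulate(anomaly_profile)
    flagged = detect_anomaly(samples)
    print("anomaly flagged from t = %.2f s to t = %.2f s" % (min(flagged), max(flagged)))
    for t_q in (5.0, 24.0, 40.0):
        x, xh = estimate_at(samples, t_q)
        print("t = %4.1f  d = %.2f  d_hat = %.3f  rate error = %.4f" % (t_q, x[2], xh[2], x[0] - xh[0]))
```

In this toy model the extra traffic does raise the queue; the estimate d_hat still separates it from the TCP contribution because the observer knows the TCP dynamics and the delay, which is the mechanism the augmented model (8) relies on. Replacing the hand-tuned L by the gain P^{-1}X of Theorem 2 would not change the simulation loop.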



4 SIMULATION AND EMULATION 
4.1 NS-2 simulation 

This section is dedicated to elucidating the proposed methodology through an illustrative example. As shown in Figure 6, a network consisting of three pairs communicating through a congested router, i.e. a bottleneck, is considered. Propagation times are as illustrated and the link bandwidth is fixed to 10 Mbps, that is 2500 packet/s considering a packet size of 500 bytes. Each of the three sources uses TCP/Reno and establishes 20 connections generating long-lived TCP flows (like FTP connections). Simulations have been performed with the network simulator NS-2 [S] (release 2.30) to validate the exposed theory.

Figure 6: Example of a bottleneck link



The three TCP sources share the single link and a congestion phenomenon occurs at the first router. So, to control the queue length of the buffer (thereby avoiding overflows), an AQM is embedded in the router. If an efficient regulation is maintained, the proposed linear observer (9) can be added in the router for flow monitoring. In our example, the observer has been tested over the AQM gain-K [15]. This latter is adjusted such that it regulates the queue length of the router to a desired level b_0 = 100 packets while the maximal buffer size is set to 400 packets.

Given the topology in Figure 6, the previous specifications and the equilibrium point (3), the observer is then written as in (9) with numerical matrices (not legible on this copy), where the observer gain L ensures the convergence of \hat x(t) to the real state x. Applying Theorem 2, such a matrix gain can be found: L = [0.28 0.46 0.45 1.76 0.54]. Prior theoretical simulations with the non-linear model (2) under Matlab/Simulink show that the mechanism works well (see Figure 7). Then, we have performed a simulation of 400 s on NS-2 where the 20 FTP connections of each of the three TCP sources send data to their respective receivers. An additional non-responsive traffic generated by 3 UDP (User Datagram Protocol) flows (at 1 Mbps each) is injected into the bottleneck as illustrated in Figure 6. This latter simulates a CBR anomaly and is introduced at intervals 150-170 s, 250-270 s and 300-320 s.

Figure 7: Observer over gain-K: original/estimated states and anomaly detection (non-linear simulation on Matlab)

The estimated state and the instantaneous measurements (the queue length and the sending rates) are compared, and the anomaly detection "sensor" is illustrated, in Figure 8. Results show that, by reconstructing the state of model (4), the time-delay observer (9) is able to provide an estimate of the TCP flow rates based only on the queue length measurement. Furthermore, the augmented model (8) also allows the observer to detect non-modeled piecewise-constant traffic. Hence, as can be seen in Figure 8, although the anomaly does not affect the queue (this attack is invisible from the buffer measurement), the mechanism clearly detects the three UDP anomalies.

Remark 1 Regarding the NS-2 simulations (Figure 8), the estimated state follows the linearized model (4), which considers the network mean variables, whereas the original state measured in NS gives instantaneous values. That is why such large oscillations around the estimated signals are obtained for the measurements.

Table 1 shows that the observer state matches the average flow rates.

Figure 8: Observer over gain-K: original/estimated states and anomaly detection (simulation on NS)

Table 1: Average of measured/estimated flow rates

Figure 9: Emulation with real-time NS

4.2 Emulation 

Going further than simulations, another example is proposed, considering now an emulation experiment. Emulation refers to experiments that introduce the simulator into a live network. Indeed, the NS environment provides special objects that allow the simulator to interact with (catch and inject) real traffic using a real-time scheduler (see [?] and Figure 9).

In our study, the NS environment is embedded in the computer that plays the role of the router, and other computers generate and receive the traffic. Hence, the bottleneck and the observer are emulated while real TCP traffic is handled and monitored.

However, since the emulator requires a high computational cost, the numerical values of the example must be scaled down (reducing the bandwidth). The considered example is illustrated in Figure 10. Source traffic is generated with the network tool Iperf [?]. Applying a congestion control mechanism, the queue size of the buffer is regulated (see Figure 11) and a linear observer can thus be developed according to the appropriate equilibrium point. Results of the emulation are shown in Figure 12.

As noticed in Remark 1, the state of the observer corresponds to average rates (see Table [?]). Because of the network load (3 heavy data streams per source, which cause the congestion phenomenon), Iperf gives measurements of the rate at a sampling period of 5 s. That is why, in Figure 12, measurements appear dispersed around the estimate.

Figure 10: Second example of a bottleneck link

Figure 11: Observer over gain-K: regulation of the queue length

Figure 12: Observer over gain-K: original/estimated rates

A network emulator may be considered as a hybrid between a network simulator and a protocol implementation. Future work concerns the real implementation of the AQM/observer in the Linux kernel to enable fully real experiments and real traffic monitoring in high-speed networks.



5 CONCLUSIONS AND FUTURE WORKS 

In this paper, robust control theory tools have been used to design an observer for traffic monitoring purposes. This latter is embedded in a router and provides estimates of the TCP flows passing through it. However, since the proposed observer is linear, an AQM that regulates the traffic around an equilibrium point is required. Besides, an augmented model is developed and the associated observer allows the detection of a class of anomalies, in order to prevent potentially malicious traffic such as DoS attacks.

Future work concerns modeling studies of other existing DoS or DDoS attacks to endow the observer (by model augmentation) with a more versatile anomaly detection system. Another point is the development of a non-linear observer able to reconstruct the state, and thus the traffic, without the AQM requirement.